Companies unaware of open source usage, vulnerabilities
More than half (57%) of cyber security professionals who participated in a recent survey claim their organisations have no process for keeping track of their open source software usage.
In addition, 30% of respondents stated that they did not have a way to manage their open source security; while 27% maintained that their organisations did not use open source software at all.
The survey was conducted by the Synopsys Software Integrity Group, Asia Pacific, during the recent GovernmentWare conference that anchored the 2018 Singapore International Cyber Week (SICW).
Because the Synopsys GovWare 2018 survey drew on C-level and other security executives as well as middle-management practitioners, the low level of awareness of open source security it revealed was surprising. As the authors of the survey report noted, the responses were particularly troubling given the widespread use of open source software across all sectors.
Open source components
According to the 2018 Open Source Security and Risk Analysis (OSSRA) report, open source components were found in 96% of the applications scanned during Black Duck On-Demand audits of 1,100 commercial codebases over a one-year period spanning 2017 and 2018. In 2017, Forrester Research estimated that only 10% to 20% of all new code in applications could be considered proprietary.
Yet asked about their organisation's approach to using open source software components and/or frameworks, only 43% of the GovWare 2018 survey respondents stated that they had an established process to inventory and manage open source code.
Fewer than one third (30%) said their organisations used open source but had no process to inventory or manage its use, and almost as many (27%) stated that they did not use open source code at all.
Given those responses, it is notable that 22% of respondents claimed their organisations faced no challenges at all in implementing an application security programme. This contrasts with the 56% who were concerned about a lack of skilled security personnel or training, the 18% who cited budget constraints, and the 17% who reported little management buy-in for such programmes.
The GovWare 2018 survey respondents were asked to identify their top security concerns (with multiple answers permitted). Just less than half (49%) of respondents named threat or breach detection; and 36% stated that protecting data and IP was top of their concern list.
"If organisations don't know what open source they use - or mistakenly believe they don't use open source at all - they can't monitor it for newly discovered vulnerabilities and they can't apply patches," the GovWare 2018 report authors point out.
The report stresses that "just because you can consume open source code freely doesn't mean you can redistribute it freely".
"Many popular open source licenses require that any software containing the licensed code carry the same license - in other words, the source code has to be made public. Organisations expose themselves to significant risk in terms of both data breaches and loss of IP by not regularly scanning their software to evaluate its contents."
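The two gaps the report describes, unknown vulnerable components and unnoticed licence obligations, are what an open source inventory process is meant to close. The following script is an added illustration, not code from the article, Synopsys or Black Duck: it builds an inventory from a pinned Python requirements file, compares each component against an advisory list and a licence table, and reports what needs patching or carries a copyleft licence. The requirements file, the advisory identifiers, the fixed-in versions and the licence entries are all constructed for the example; a real process would feed the inventory from the build system and the advisories from a maintained vulnerability database.

```python
"""
Added example (not from the article or from Synopsys): a minimal open source
inventory check. It parses a pinned requirements file, looks each component
up in an advisory list and a licence table, and reports components that need
patching or carry a copyleft licence. Every package name, version, advisory
id and licence entry below is constructed for illustration.
"""
import re
from dataclasses import dataclass

# Constructed requirements file (sample input, not a real project).
REQUIREMENTS = """\
# pinned dependencies
requests==2.19.1
flask==1.0.2
leftpad-clone==0.3.0
"""

# Constructed advisory feed: package -> list of (advisory id, fixed-in version).
# Any inventoried version below the fixed-in version is treated as affected.
ADVISORIES = {
    "requests": [("ADV-EXAMPLE-0001", "2.20.0")],
    "flask": [("ADV-EXAMPLE-0002", "1.0.0")],   # already fixed in 1.0.2
}

# Constructed licence table; COPYLEFT lists licences that oblige redistributors
# to release derived source under the same terms (placeholder set, not legal advice).
LICENSES = {
    "requests": "Apache-2.0",
    "flask": "BSD-3-Clause",
    "leftpad-clone": "GPL-3.0-only",
}
COPYLEFT = {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only"}


@dataclass
class Component:
    name: str
    version: str


@dataclass
class Finding:
    component: str
    kind: str      # "vulnerability", "license" or "unknown-license"
    detail: str


def parse_version(v: str) -> tuple:
    """Turn '2.19.1' into (2, 19, 1) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))


def parse_requirements(text: str) -> list:
    """Build the inventory: one Component per 'name==version' line.
    Unpinned lines are rejected, because an inventory that cannot name
    the exact version cannot be matched against advisories."""
    components = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = re.fullmatch(r"([A-Za-z0-9_.-]+)==([0-9.]+)", line)
        if not m:
            raise ValueError(f"unpinned or malformed requirement: {line!r}")
        components.append(Component(m.group(1).lower(), m.group(2)))
    return components


def check_inventory(components: list) -> list:
    """Match every inventoried component against advisories and licences."""
    findings = []
    for c in components:
        for adv_id, fixed_in in ADVISORIES.get(c.name, []):
            if parse_version(c.version) < parse_version(fixed_in):
                findings.append(Finding(c.name, "vulnerability",
                                        f"{adv_id}: upgrade to {fixed_in} or later"))
        lic = LICENSES.get(c.name)
        if lic is None:
            findings.append(Finding(c.name, "unknown-license",
                                    "no licence recorded; review before redistribution"))
        elif lic in COPYLEFT:
            findings.append(Finding(c.name, "license",
                                    f"{lic} requires derived works to carry the same licence"))
    return findings


def run(text: str = REQUIREMENTS) -> list:
    """Inventory the given requirements text and return all findings."""
    return check_inventory(parse_requirements(text))


if __name__ == "__main__":
    for f in run():
        print(f"{f.component}: [{f.kind}] {f.detail}")
```

Run as-is, the script flags `requests` for the constructed advisory and `leftpad-clone` for its copyleft licence, while `flask` passes because its version is already at or above the fixed-in version. The design point is the one the report makes: the advisory and licence checks are only as good as the inventory feeding them, so the parser refuses unpinned entries rather than silently skipping them.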